Botnets and malware programs are using the Hypertext Transport Protocol (HTTP) user-agent field for communicating with a command and control server. Recently discovered advanced persistent threats have shown malware using an HTTP client to beacon out to command and control systems. Sometimes a user agent helps in identification by signature-based techniques, as in the malware IKEE.B Botnet for the Apple iPhone. This malware uses the HTTP wget command with the user agent.
Malware authors have become aware that anti-malware systems are aware of this usage of the user-agent field and have taken countermeasures. Botnets now have begun randomizing their HTTP communications to bypass user agent signature-based anti-malware defenses. They can employ a built-in mechanism that can generate random user agents while downloading secondary payloads. Thus a rethinking of the way in which anti-malware system detect command and control communication would be desirable.
In addition, even where the malware or botnet systems are not randomizing the user-agent identity information, signature-based detection can only detect known threats which have previously identified malware signatures. A way of detecting zero day (previously unknown) malware would be desirable.